Hello,
Grant Taylor wrote:
What you want to do is have a very similar rule to DNAT any outbound
traffic (coming in the internal interface to go out the external
interface) that is destined to the IP and / or port of the service
DNATed over to the internal IP / port as well. I.e.
iptables -t nat -A PREROUTING -i eth1 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP
And make sure that traffic forwarded from eth1 to eth1 is ACCEPTed in
the filter/FORWARD chain.
Now to prevent what I call a "TCP Triangle" you will need to SNAT the
internal traffic that is being redirected back to the $PRIVATE_IP so
that replies pass back through the router and back to the original
client rather than the $PRIVATE_IP replying directly to the original
client. (See 'Julian's TCP Triangle' page
"http://jengelh.medozas.de/images/dnat-mistake.png" for a diagram.)
iptables -t nat -A POSTROUTING -o eth1 -s $PRIVATE_LAN/$NM -d $PRIVATE_IP -j MASQUERADE
Note: You can use either the MASQUERADE or SNAT target depending on
your preferences or whatever is compiled into your kernel. I chose
MASQUERADE so I did not have to take your router's internal IP into
account in the rule(s) above.
Note that both SNAT and MASQUERADE hide the real source address from the
server, which may be annoying for logging or access control purposes.
Source NAT is not required to avoid the "routing triangle" if the server
itself can route the return traffic to the NAT router. This can be
achieved with advanced routing on Linux. Alternatively, the router may
use the NETMAP target instead of SNAT or MASQUERADE to do a 1-to-1
mapping of the source address range into another range, so the original
source address can be retrieved.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
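The complete hairpin rule set that the two messages above describe (inbound DNAT, the second DNAT for LAN clients, the FORWARD accepts, and the POSTROUTING source NAT that breaks the "TCP triangle"), as an added example script that is not from the thread. The interface names (eth0 external, eth1 internal), the addresses, the port and the NETMAP range used in the usage note are assumptions; set IPT="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for a Linux router. Added example, not code
# from the thread. Assumes eth0 is the external interface and eth1 the
# internal one; all addresses below are placeholders for illustration.
# With IPT="echo iptables" the rules are printed rather than installed.

IPT=${IPT:-iptables}

# hairpin_rules EXT_IF INT_IF PUBLIC_IP PRIVATE_IP LAN/PREFIX PORT
hairpin_rules() {
    ext_if=$1; int_if=$2; public_ip=$3; private_ip=$4; lan=$5; port=$6

    # Let replies of already-accepted connections through first.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1. Ordinary port forward for clients on the Internet.
    $IPT -t nat -A PREROUTING -i "$ext_if" -d "$public_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$private_ip"

    # 2. The same DNAT for LAN clients that connect to the public address
    #    (the packet enters on the internal interface).
    $IPT -t nat -A PREROUTING -i "$int_if" -d "$public_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$private_ip"

    # 3. Accept the forwarded traffic on both paths: external -> internal and
    #    the hairpin path, which enters and leaves on the internal interface.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -d "$private_ip" -p tcp --dport "$port" -j ACCEPT
    $IPT -A FORWARD -i "$int_if" -o "$int_if" -d "$private_ip" -p tcp --dport "$port" -j ACCEPT

    # 4. Source NAT only for the hairpinned connections: LAN source, DNATed
    #    destination, leaving on the internal interface. Without this the
    #    server answers the client directly from $private_ip, the client is
    #    waiting for an answer from $public_ip, and the handshake never
    #    completes. MASQUERADE uses the router's own eth1 address, so that
    #    address does not have to appear in the rule.
    $IPT -t nat -A POSTROUTING -o "$int_if" -s "$lan" -d "$private_ip" -p tcp --dport "$port" \
        -j MASQUERADE
}

# Example invocation with placeholder addresses (documentation ranges).
hairpin_rules eth0 eth1 203.0.113.10 192.168.1.20 192.168.1.0/24 443
```

To keep the client addresses recoverable on the server, as the reply suggests, rule 4 can use NETMAP instead of MASQUERADE, for example `-j NETMAP --to 10.99.1.0/24` (assumed range); in POSTROUTING, NETMAP rewrites the source address, so 192.168.1.x appears on the server as 10.99.1.x, and the server only needs a route for 10.99.1.0/24 that points back at the router (its default gateway usually suffices). To check that the hairpin is working, run `conntrack -L -p tcp --dport 443` from conntrack-tools on the router while a LAN client connects to the public address: the entry should show the original tuple (client -> $PUBLIC_IP) and the reply tuple coming from $PRIVATE_IP back to the router's address, not to the client.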